CVE-2026-28790
Received Received - Intake
Broken Access Control in OliveTin Allows Unauthorized Action Termination

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
olivetin olivetin to 3000.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28790 is a broken access control vulnerability in OliveTin versions prior to 3000.11.0. It allows unauthenticated guests to terminate running actions by calling the KillAction RPC directly, even when the configuration option authRequireGuestsToLogin is enabled. Although guests are blocked from accessing the dashboard, they can bypass authentication to stop legitimate running actions, causing unauthorized denial of service.

The root cause is inconsistent authorization enforcement: the dashboard access requires guest login, but the KillAction RPC does not enforce this properly. The configuration sanitization disables guest permissions for most actions but leaves the kill permission enabled, allowing guests to execute kill commands without authentication.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated users to disrupt running actions or jobs in OliveTin. Attackers can terminate legitimate processes without any credentials, causing unauthorized denial of service. This can interfere with privileged operations and disrupt multi-user environments where actions may run for extended periods.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthenticated guests being able to call the KillAction RPC directly to terminate running actions. Detection involves monitoring for unauthorized KillAction RPC calls originating from guest or unauthenticated users.'}, {'type': 'paragraph', 'content': 'You can detect exploitation attempts by checking server logs for KillAction requests authenticated as "guest" or unauthenticated users, especially those that result in termination of running actions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires knowledge or prediction of a valid executionTrackingId, monitoring network traffic for suspicious RPC calls to the KillAction endpoint can help identify attempts.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your logging and monitoring setup, but examples include:'}, {'type': 'list_item', 'content': "Using grep or similar tools on server logs to find KillAction calls by guest users, e.g., `grep 'KillAction' /path/to/olivetin/logs | grep 'guest'`."}, {'type': 'list_item', 'content': 'Using network monitoring tools (like tcpdump or Wireshark) to filter for RPC calls to the KillAction endpoint.'}, {'type': 'list_item', 'content': 'Checking application logs for HTTP 403 responses on dashboard access but successful KillAction RPC calls from unauthenticated sources.'}] [3]

Mitigation Strategies

The primary mitigation is to upgrade OliveTin to version 3000.11.0 or later, where this vulnerability has been patched.

The patch disables the default permission for the Kill action for guests, preventing unauthenticated users from invoking KillAction.

If immediate upgrade is not possible, consider restricting network access to the OliveTin service to trusted users only, preventing unauthenticated guests from reaching the KillAction RPC endpoint.

Additionally, review and tighten access control configurations, ensuring that guest users cannot perform privileged actions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28790. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart